Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-15410

Publication date:
14/07/2026
Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-5040

Publication date:
14/07/2026
TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.<br /> <br /> Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-47767

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.46 until 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the CVE-2024-50340 fix gated runtime argv parsing on empty($_GET), but parse_str() and the web SAPI can disagree, allowing a crafted query string to leave $_GET empty while $_SERVER[&amp;#39;argv&amp;#39;] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-47301

Publication date:
14/07/2026
Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-47304

Publication date:
14/07/2026
Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-47302

Publication date:
14/07/2026
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2026-47303

Publication date:
14/07/2026
Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-47300

Publication date:
14/07/2026
Incorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-47305

Publication date:
14/07/2026
Protection mechanism failure in Visual Studio allows an unauthorized attacker to execute code locally.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2026

CVE-2026-45754

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST requests to inject forged Mailjet and LOX24 event payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2026

CVE-2026-45304

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026

CVE-2026-45305

Publication date:
14/07/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2026